The invention relates generally to the software development lifecycle. More specifically, the invention relates to a framework and a method for securing a source code base during the development phase of the software development life cycle The software development life cycle includes conceptualization, a cost-benefit analysis, and detailed specifications of software requirements, design, programming, testing and maintenance. For a software program to be robust, inputs to it need to be validated to safeguard against input injection errors. Standard input validation mechanisms are used to validate the input data for its length, type, syntax and business rules before accepting the data that is to be displayed or stored. For example, a field for the entry of telephone numbers should only include digits and/or a plus/minus sign. An invalid entry/input may result in the software program becoming vulnerable. Robustness is achieved by building security routines for the source code base. Security routines help in developing a secure code. For example, the Web Application Firewall (WAF) is a server application that intercepts HTTP traffic, to check inputs into the application layer. Custom Security Routines are also used to prevent input rejection related security attacks. Similarly, Servlet filters, introduced in Java Servlet 2.3, validate HTTP request parameters to check for malicious inputs that can potentially exploit the vulnerability of an application layer.
However, some of these validation techniques are not incorporated during the development phase of the software development lifecycle currently. Further, some of these techniques are not adjustable and are not based on context-sensitive information. Context-sensitive information includes additional information related to the characteristics and behavior of the code being executed, and enables optimal usage of the security routine. Hence, in some of these validation techniques, each of the security routines is applied to each of the variables making a request for security validation. This may affect the performance of the software program.
In some of these techniques, security routines are tightly coupled with specific applications, and hence, are not flexible. Further, the creation of these security routines requires considerable expertise in programming.
In light of the foregoing, there is a need for a context-based validation framework that incorporates input validation-related security features into the software development life cycle. Further, the framework needs to be extensible, such that the validation rules can be updated without modifying the underlying source code base.